Archive
Setting up local homes on Active Directory-bound Apple servers.
I had an interesting issue crop up recently, where I was setting up three Mac Xserves for a group of developers coming over from the Linux side. These servers were being bound to Active Directory, which has a number of nice advantages for me in terms of management, especially in the realm of password management, but there was one issue that needed to be taken care of.
On Unix (Linux and OS X included), when you get an account, it comes with an associated home folder. You don't generally have an account on a server without a home there, or with a home folder that lives on another server (and possibly another platform as well). With Active Directory, though, that is perfectly possible: the account exists in the directory, but nothing on the server has ever created a home for it. This is usually easy to resolve on the desktop and laptop side, where you configure the AD plug-in to either force a local home or set up a mobile home when the user logs in at OS X's GUI Login Window. On a server it's not so easy, because users generally are not standing in front of the server logging in via the Login Window; they're coming in over SSH or another form of remote access, and nothing in that path creates the home. So how do you set them up with a local home?
Log into the server as an admin then run the following commands:
cd /System/Library/CoreServices/mcxd.app/Contents/Resources
sudo ./MCXCacher -U <user shortname>
sudo createhomedir -c -u <user shortname>
Easy as that. The order matters: MCXCacher first creates a mobile user record, with cached credentials, for that AD account in the local NetInfo domain; createhomedir's -c flag operates on the local domain, so it will only find the user once that record exists, and it then creates the home folder under whatever location you have set for local homes (/Users by default). Check that the folder appeared, with the right owner, before handing the account over. Your users will then land in their home folder after logging in via SSH, and single sign-on with Kerberos will also work just fine.
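The same two-step procedure wrapped in a small script, as an added example that is not part of the original post: it takes a list of AD shortnames, rejects anything that isn't a plain shortname (so a stray `DOMAIN\user` or an option-looking string never reaches sudo), skips users whose home already exists, and can be run with DRY_RUN=1 to print the commands instead of executing them. The function names, the DRY_RUN and HOME_ROOT variables, and the /Users default are my assumptions, not the author's.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the 10.4-era MCXCacher
# path quoted in the post and that local homes live under /Users unless
# HOME_ROOT says otherwise.
MCXCACHER=/System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher
HOME_ROOT=${HOME_ROOT:-/Users}
DRY_RUN=${DRY_RUN:-0}

# Accept only conservative shortnames: letters, digits, dot, underscore, dash,
# and never a leading dash (which sudo/MCXCacher would parse as an option).
valid_shortname() {
    case "$1" in
        "")                 return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
        -*)                 return 1 ;;
        *)                  return 0 ;;
    esac
}

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Create the cached mobile account, then the local home, for one user.
# Returns 0 on success, 1 if the home already exists, 2 on a bad shortname.
make_local_home() {
    user=$1
    if ! valid_shortname "$user"; then
        printf 'skipping invalid shortname: %s\n' "$user" >&2
        return 2
    fi
    if [ -d "$HOME_ROOT/$user" ]; then
        printf 'home already exists for %s, skipping\n' "$user"
        return 1
    fi
    # Mobile record first (local NetInfo domain), then createhomedir -c
    # which only looks at the local domain.
    run sudo "$MCXCACHER" -U "$user" &&
        run sudo createhomedir -c -u "$user"
}

# Stand-alone use: ./mkhomes.sh jdoe asmith ...
rc=0
for u in "$@"; do
    make_local_home "$u" || rc=1
done
```

Run it once with DRY_RUN=1 to see exactly what would be executed for each name, then again without it on the server.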
New look.
I’ve decided to update the look of the blog somewhat, while still keeping the Mac look-and-feel. Hope everyone likes it.
Utterly killing Kerberos on your Open Directory Master.
Recently, I got an email from one of the mailing lists I'm on asking if anybody knew how to stop an Open Directory master's Kerberos server and keep it stopped. It's not generally a good idea to kill the Kerberos service on your OD Master, but if you have a circumstance where you need it, here's a way to kill it and keep it dead.
After creating your OD Master and verifying that everything is running the way it should be, open Terminal and enter the following command:
sudo sso_util remove -k -a <admin username> -p <password>
Note that passing the password with -p puts it in your shell history, so clear that afterward. When this finishes, the keytabs and the kadmin process on your OD Master will be gone. To be thorough, you may want to remove the remaining files as well; copy them somewhere safe first, since nothing below recreates them:
sudo rm /etc/krb5.keytab
sudo rm /Library/Preferences/edu.mit.Kerberos
What I've described above will kill Kerberos and keep it from running. Unfortunately, what I don't know is how to restart it after it's been killed (short of an erase and fresh install), so don't do this unless you need it. As always, please test this carefully before doing it on your production box.